ALIEN INCLUSION

Proof of flag

FLAG = ctf{b513ef6d1a5735810bca608be42bda8ef28840ee458df4a3508d25e4b706134d}

Summary of the vulnerabilities identified

We can control which file is included via the "start" POST parameter, so we can set it to the path of the flag.php file.

Proof of solving

When we first access the page we are greeted by what seems to be the source code of the index.php file. Based on this source code, the name of the challenge and its description, “Keep it local and you should be fine. The flag is in /var/www/html/flag.php.”, it is obvious that we need to set the value of the “start” POST parameter to the absolute path of the flag and also add a random value for the “start” GET parameter (also known as a query argument) in order to prevent the exit on line 5 from ever being executed.

BASIC COMS

Proof of flag

FLAG = ctf{ca314be22457497e81a08fc3bfdbdcd3e0e443c41b5ce9802517b2161aa5e993}

Summary of the vulnerabilities identified

Looking at the HTTP requests captured by Wireshark in the given file, we find only 4 requests, one of which contains our flag as a GET parameter.

Proof of solving

Based on the challenge description and title, we know we are supposed to be looking for a “basic” protocol in the pcapng file. One of the most basic protocols available is HTTP, and in Wireshark we can filter to look only at the HTTP requests and responses. Since there are only 4 requests made, and there is a somewhat encoded message which says “The content of the flag is”, we can guess that

BAZOOKA

Proof of flag

ctf{9bb6df8e98240b46601db436ad276eaa635a846c9a5afa5b2075907adf39244b}

Summary of the vulnerabilities identified

Just a super simple buffer overflow (don’t need to tell me “Try Harder”, mom).

Proof of solving

In the first part, the program prompts the user to input "#!@{try_hard3r}" in order to reach the vuln function, where the buffer overrun happens because the scanf format string uses “%s” instead of “%Xs”, where X is a natural number bounding the read. First I find the libc base address and use a one_gadget to land on an execve("/bin/sh", 0, 0)

BRO64

Proof of flag

ctf{f38deb0782c0f252090a52b2f1a5b05bf2964272f65d5c3580be631f52f4b3e0}

Summary of the vulnerabilities identified

By connecting with netcat and sending some arbitrary data, you get an HTTP 400 Bad Request error.

nc 35.198.183.125 31604
asdf
<head></head>
<title>Error response</title>

<body></body>
<h1>Error response</h1>
Error code 400.
Message: Bad request syntax ('asdf').
Error code explanation: 400 = Bad request syntax or unsupported method.

So the natural thing is to use curl. By using curl you get back some weird JSON data.

DARKMAGIC

Proof of flag

dctf{857ee5051eeccf7cbdfa0ab9986d32f89158429fc12348e15419a969ddcb6bfb}

Summary of the vulnerabilities identified

The vulnerability was a format string bug combined with a buffer overflow.

Proof of solving

You need to use the format string to leak the stack cookie, and the buffer overflow to redirect code execution to the getshell function. Everything happens in a loop, and we overwrite the loop variable from 1 to 2 by sending 100 “A”s followed by a ‘\x02’; by sending “%35$p” you get the value of the stack cookie. I used 0x40087a to send the execution to a ret instruction because I get a misaligned stack and the program crashes.
